Blog

Security updates, practical field notes, and deep dives from the project.

Apr 30, 2026 • 5 min

Mini Shai-Hulud Jumps to PyPI: Lightning Package Backdoored to Drain Developer Credentials

Two malicious versions of the PyTorch lightning training package activate silently on import, sweeping developer credentials, cloud provider secrets, cryptocurrency wallets, and CI pipeline tokens from the affected machine.

Read post

Apr 29, 2026 • 9 min

Mini Shai-Hulud Hits SAP: Four npm Packages Backdoored With a Bun-Powered Credential Harvester

A preinstall hook in four SAP packages drops an 11.7 MB credential stealer onto developer machines and CI runners, targeting cloud secrets, GitHub tokens, and Actions secrets.

Read post

Mar 31, 2026 • 10 min

Axios NPM Hijack: Maintainer Account Compromised, RAT Deployed

The lead axios maintainer's npm account was hijacked and two malicious versions deployed a cross-platform RAT via a pre-staged dropper package. With ~100M weekly downloads, this is among the most impactful supply-chain attacks on record.

Read post